The vast majority of ransomware attacks start with cybercriminals exploiting common security weaknesses. Had those weaknesses been managed properly, most victims would not have fallen prey to the attacks.
Microsoft analyzed anonymized data about actual threat activity and, according to its new Cyber Signals report, found that more than 80% of ransomware attacks can be traced back to common misconfigurations in software and devices.
These include applications left in their default state, which gives every user access to the entire network; untested or misconfigured security tools; cloud applications configured so that unauthorized attackers can easily access them; and organizations that do not use Microsoft's attack surface reduction policies, which leaves attackers free to execute malicious code through macros and scripts.
Ransomware as a Service Model
It is these misconfigurations that attackers look for when hunting for vulnerable targets for ransomware attacks, often with the added threat of double extortion, where cybercriminals steal sensitive data and threaten to leak it if the ransom is not paid.
Microsoft warns that this trend has been fueled by the growth of the ransomware-as-a-service (RaaS) ecosystem, which allows attackers without technical knowledge to run their own ransomware campaigns and extort ransoms.
RaaS kits are relatively easy to find on underground forums and can include customer support, giving criminals all the help they need to get started. Some of these kits are sold on a subscription basis, while others use affiliate models in which the developers take a share of each ransom payment made for the decryption key.
The RaaS market is also highly volatile, with new threats emerging as established offerings disappear. For example, the report notes that since Conti, one of the most notorious ransomware operations, appeared to shut down, the void has been filled by other ransomware families, including LockBit, Hive, Quantum Locker, and Black Basta.
Some of the cybercriminals behind Conti are likely involved in these new threats targeting organizations around the world, but Microsoft says falling victim to them is avoidable.
“While ransomware or double extortion may seem like the inevitable result of an attack by a skilled attacker, ransomware is a preventable disaster. The fact that attackers rely on security vulnerabilities means that investments in cyber hygiene are highly beneficial,” the Cyber Signals report says.
To prevent cybercriminals from exploiting common mistakes and misconfigurations, Microsoft details several best practices for improving cybersecurity.
These include closing security blind spots by verifying that cybersecurity tools and procedures are properly configured to protect systems, and disabling macros and other scripts that cybercriminals commonly use to execute malicious code.
It also recommends protecting people, networks and cloud services with multi-factor authentication, which can stop cybercriminals from using stolen usernames and passwords to move through the network and lay the groundwork for ransomware attacks.
Organizations should also install security patches and updates as soon as possible to prevent attackers from exploiting known vulnerabilities.
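As an added example (not from the Cyber Signals report or from Microsoft), the PowerShell audit below checks two of the configuration points named above on a single Windows host: whether Defender attack surface reduction rules are deployed in Block mode, and whether Office macro policy actually disables untrusted macros. It assumes Windows 10/11 with Microsoft Defender Antivirus, an elevated session, and Office policy keys under the 16.0 (Office 2016/365) path; the action-code and VBAWarnings meanings are documented Microsoft values.

```powershell
# Audit script (hypothetical example): ASR rule state and Office macro policy.
# Assumes Microsoft Defender Antivirus and Office 16.0 policy keys; run elevated.

# Documented ASR action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
$asrActions = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)

if ($ids.Count -eq 0) {
    Write-Warning 'No ASR rules configured: macro- and script-based payloads are not constrained.'
} else {
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state = $asrActions[[int]$acts[$i]]
        if (-not $state) { $state = "Unknown($($acts[$i]))" }
        [pscustomobject]@{ RuleId = $ids[$i]; State = $state }
    }
    # Audit or Warn mode only reports; only Block actually stops execution.
    $notBlocking = @($acts | Where-Object { [int]$_ -ne 1 }).Count
    if ($notBlocking -gt 0) {
        Write-Warning "$notBlocking ASR rule(s) are not in Block mode (Audit, Warn or Off)."
    }
}

# Documented VBAWarnings values: 1 = enable all, 2 = disable with notification
# (user can click through), 3 = disable except digitally signed, 4 = disable all.
$vbaMeaning = @{ 1 = 'Enable all macros (unsafe)'; 2 = 'Disable with notification (user can enable)';
                 3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $found = $false
    foreach ($hive in 'HKLM', 'HKCU') {
        # Only Group Policy keys are checked; per-user preference keys are out of scope here.
        $key = "${hive}:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $val) {
            $found = $true
            # BlockContentExecutionFromInternet = 1 blocks macros in files marked as downloaded.
            $motw = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
            [pscustomobject]@{ App = $app; Hive = $hive; VBAWarnings = $val
                               Meaning = $vbaMeaning[[int]$val]; BlocksInternetMacros = ($motw -eq 1) }
            if ([int]$val -lt 3) { Write-Warning "$app ($hive): policy still lets users run macros (VBAWarnings=$val)." }
        }
    }
    if (-not $found) { Write-Warning "${app}: no macro policy set; Office defaults apply and users can enable macros." }
}
```

Run it on a representative workstation image and on a server running Office components; a clean result is one with every ASR rule in Block and VBAWarnings set to 3 or 4 in every application.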